Overview

overview

10

Static

static

3

5022d0bbd3...18.exe

windows7-x64

10

5022d0bbd3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5022d0bbd3bc79e688f26ab39736a180_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    5022d0bbd3bc79e688f26ab39736a180

  • SHA1

    2ff4398f048b9cfb5adb80b37672f33eea695d39

  • SHA256

    4d7f60f5f9cd63e753868459d0468b2925cdad0dc9dd53f889e662aa428efebf

  • SHA512

    93dd1c76d0579233817af20f495f836eb40e14253ccc048eccc932edc8731ab47443941b4d0fb66e6ef20f0e3ae8f7899d699a0b5a164d4f96b333d6d5c91524

  • SSDEEP

    6144:JgRHAU4b69faujFyMM3mH1FE+yBFSDhvKHpuEskuTpUSZT3c:Jg12H3mH14BFSDhZEBuTpUw3

Score
10/10
njratdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5022d0bbd3bc79e688f26ab39736a180_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5022d0bbd3bc79e688f26ab39736a180_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Users\Admin\AppData\Local\Temp\skype.exe
        "C:\Users\Admin\AppData\Local\Temp\skype.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\skype.exe" "skype.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2564
    • C:\Users\Admin\AppData\Local\Temp\Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Crypter.exe
    Filesize

    884KB

    MD5

    dcfb7a85ade58b4541c18ca6e2acfc60

    SHA1

    f8fb98bbf730487d233e4d1e45a056db48b3067e

    SHA256

    c35b90eb66cc4c546ce2c373fe01679911576565a596bae16058bcb1bb8c020f

    SHA512

    439c42825c60366650e6bd6a811cac7bbaeac107c95f00d2e8190273a3cb9a971b7f3d9194f13fdc1f049ff34d1fbcdc9cac49f1fedc79a71c00913e1330ee14

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    28KB

    MD5

    333530806a51f2b7148063bbfc5fde0c

    SHA1

    471f3277d3734b5ab733cc191e7ce93a894f7ff9

    SHA256

    68b5ba555c551ccbcefb405dd5baf00f186f50c8678c0f389ba39506319f3c0f

    SHA512

    54117f2047b8b3c34c123dbc3ce6982da672d674b6240e3a8e71c04fc31b8e5c34bc3eb310c245098fa14b398507e7ceaf50d8043a048a333a3c2bcd532a2813

    Download Submit

  • memory/2628-3-0x0000000000A40000-0x0000000000B2E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2628-0-0x000007FEF621E000-0x000007FEF621F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2628-5-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2628-2-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2628-1-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2628-18-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2700-17-0x0000000074CA1000-0x0000000074CA2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-21-0x0000000074CA0000-0x000000007524B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2700-20-0x0000000074CA0000-0x000000007524B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2700-30-0x0000000074CA0000-0x000000007524B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-23-0x0000000074CA0000-0x000000007524B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-19-0x0000000074CA0000-0x000000007524B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-32-0x0000000074CA0000-0x000000007524B000-memory.dmp

    Filesize

    5.7MB

    Download